User Feedback Messages

| |

Home

This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.
Products
This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.
- Mobile Applications
  
  Data Springs Forum iPAD app
  
  Forum Flow
  
  Opt In Text
- DNN Modules
  
  The Collection 6.0
  
  The User Management Suite
  
  Dynamic Forms
  
  Dynamic Registration
  
  Dynamic Login
  
  Dynamic Views
  
  Dynamic User Directory
  
  Dynamic Contacts
  
  Dynamic Image Rotator
  
  News Ticker
  
  Opt In Email
  
  Opt In Text
  
  Quick Poll
  
  Dynamic Info Cube
  
  Random Rounded Images
  
  Stock Quote
  
  Back on Track
  
  Dynamic News Ticker
  
  Dynamic Tags
  
  Interactive User Import
  
  Page Tags
  
  Presentation Archive
  
  Real Estate Listing
  
  Renewal Reminder
  
  Tailored Text / HTML
Services

This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.
Get Quote
This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.
- Request Quote For
  
  Custom DotNetNuke Module Quote
  
  Web Design Quote
  
  Software Outsourcing
  
  SharePoint Web Parts
  
  Mobile Programming
  
  Custom Software
Support
This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.
- Community Support The Data Springs Product Forums is an excellent resource where you can find solutions to questions previously encountered by other users. Each product has its own category to help you narrow your search. It also offers forums for enhancement requests, user guides and general information.
- Training Data Springs can offer additional training through our Premium Support hours. The training classes can either be held onsite or via web meetings which can be organized according to your preferences.
- Standard Support Data Springs strives to deliver excellent support for our customers. There are multiple ways of accessing support that are outlined below.
  
  Product Support Agreement
  
  Common Support Questions
  
  User Guides
  
  Upgrade Policy
  
  License Options
  
  Contact Support
- Product Demonstrations
  
  Dynamic Forms Tutorials
  
  SharePoint Web Parts Demonstrations
  
  Dynamic Login w/ Content Localization
  
  Opt In Email w/ Content Localization
  
  Dynamic User Directory
- Premium Support Premium Support is offered for additional requirements beyond what is covered in Standard Support. Find out more details below...
  
  Premium Support Options
  
  Premium Hourly Support
  
  Premium Monthly Support
  
  Premium Quarterly Support
  
  Misc Payments Form
Resources
This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.
- Beta Springs Beta Springs is a web site dedicated to quality control and improvement of the Data Springs products. Please visit this site and request access to setup and test any product specific issue or to review fully functional products before purchase.
- Other Resources
  
  Recommended Vendors
  
  Clothing / Apparel
- RESX Localization Translation RESX Translate is an easy to use service for providing translation services within Visual Studio and ASP.NET resources files (.RESX Extension).
- RESX Localization Spell Checker RESX Spell Check is an easy to use service for providing spell check services within Visual Studio and ASP.NET resources files (.RESX Extension).
- Articles & Information
  
  SQL Performance/Code Security Articles
  
  Moss 2007/ 2010 Articles
  
  Ajax AspDotNet JQuery Articles
  
  Drupal Wordpress and Joomla Articles
  
  SQL Server Visual Studio Articles
  
  Android / iPhone / Mobile Articles
  
  Internet Marketing Articles
  
  DotNetNuke Articles
  
  HTML 5 Getting Started w/ HTML 5
News
This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.
- In the Press Check out recent press releases for Data Springs products, events, and media relations.
- Blog An online diary and web log from staff and customers for premium DotNetNuke resources, Data Springs Modules, SharePoint Web Parts, Forum Flow, iPhone/Android Mobile Apps, and Data Springs Services.
- Newsletter Get current news and events the easy way! Select the newsletters you would like to receive or enter your email address to view/modify your subscription settings.
Training

This feature requires the Standard edition. You are running the Trial edition or your site domain is not associated with your license key. Please visit www.packflash.com to purchase an upgrade or add your domain.

Great Ideas. Always Flowing.

We are not happy until you are happy. Client satisfaction guaranteed. Whatever your needs and requirements, we have the skills and resources for the job!

DNN Modules

Dynamic Forms

Dynamic Login

Dynamic Registration

Dynamic User Directory

Dynamic Views

Dynamic Image Rotator

Dynamic News Ticker

Info Pics

Interactive User Import

Page Tags

News Ticker

Opt In Email

Presentation Archive

Quick Poll

Random Rounded Images

Real Estate

Stock Quote Module

Testimonials

Dynamic Tags

Tailored Text / HTML

Dynamic Info Cube

Back on Track

Dynamic Contacts

SnowCovered Top Sellers

Dynamic Registration 4.0

Frustrated over the lack of customization for your user's registration fields? Dynamically setup your DNN Portal with custom registration fields, layout, questions, and other core integration options......

Ultra Video Gallery 4

Ultra Video Gallery is a brother product of Ultra Media Gallery, UVG allows you to upload videos in various format and automatically encode them to flv or H264 format, you also can add videos from internet or record live videos from your webcam.

XMod Pro 2.7 - Forms and Views for Databases

Build high performance, completely customizable data-entry forms and views driven by your DNN and external databases. New built-in tools make it a snap to quickly create data entry forms, data views, and even database tables. Plus, add your own HTML, CSS, Javascript, SQL commands, stored procedures,

Smith Shopping Cart v3.88

The most advanced DotNetNuke shopping cart on the planet. Easy to use e-Commerce, Secure Shopping Cart Software and SEO friendly. B2C / B2B Ecommerce Sites.

Event Calendar and Registration 4.0

One stop solution for events calendar and events registration! FREE DOWNLOAD is available now!

Popluar Tags

Tags

Secure Programming Tips - User Feedback Messages

Week 3: User Feedback Messages

One of the things we, as developers, try to do is create applications that are intuitive to our users. After all, what good is it to make a wonderfully functional application if the end user has to have a Ph.D. in order to understand how to use it? Some companies write vast amounts of documentation and training manuals as a way to provide an understanding of the application’s functionality. However, when a user is expected to enter a particular type of data into an input field, we aren’t going to waste our time or our user’s time writing documentation on input types. So what we do is provide instant feedback to the user in the form of messages. We may provide feedback when an error has occurred or when we want to confirm a user’s input or selection.

Providing feedback messages is an excellent way to interact with the user and it provides the user with a much better experience when he knows what is or isn’t expected. There’s nothing worse, from a user’s perspective, than an application which errors unexpectedly and doesn’t provide any feedback as to what may have caused it. Providing feedback messages to the user is an essential method for ensuring a positive user experience. However, as developers, we need to be aware of the types of messages we present to the user. There are occasions when we need to provide detailed feedback to the user, such as when a user enters invalid data into an input field. For example, if the user mistakenly enters numeric values into a name field we may provide detailed error message stating the only allowed characters are a-z.

On the other hand, there are times when we need to provide as generic an error message as possible, such as when a user’s login attempt has failed or when a user has accidentally locked out his account or has forgotten his password and uses the application’s functionality to reset it. These are three separate examples of when we would want to provide generic error messages, because if we provided detailed error messages a malicious user might use them to attack the application.

Failed login attempts are common. The more complex the user’s username or password, the more likely the user is to forget it or make errors, and attempt to login with invalid credentials. As developers, we need to inform our users when their login attempts have failed, but we need to ensure we do it in a safe and secure manner. Below are examples of bad feedback messages to a user whose login attempt has failed.

Figure 1 Figure 2

Both examples above are bad; why, because they reveal too much information to the user. While these two feedback messages reveal to the user which part of the login credentials are incorrect, they also reveal which part of the credentials may be valid. In either case a malicious user has potentially already harvested a valid password (Figure 1) or a valid username (Figure 2). This would allow an attacker to attempt a brute force attack against the system in an attempt to discover the second part of the login credentials. This attempted discovery of valid accounts is called account harvesting. Error messages such as those used above can aid a malicious user in discovering and harvesting valid account credentials. It is much safer, for both the application as well as the user, to provide a generic “login failed” error message (see Figure 3 below), as this mitigates the risk of exposing which portion of the login credentials is incorrect.

Figure 3

This same example holds true when a user has forgotten his password. If the user supplies an invalid username to request a forgotten password, and the feedback message states “Invalid Username” or “Unknown Account”, but reveals another message if the username supplied is valid, such as “New password has been emailed”, or the user is taken to another page or step in the process, these messages can also reveal to a malicious user that they have discovered some valid credentials.

Okay, so now we know what account harvesting is and how our feedback messages to our users can be used against us. As a developer we would need to take steps to implement generic feedback messages. Plus, we would want to take steps to prevent a malicious attacker from running a brute force attack against our login or forgotten password process in an attempt to discover valid account credentials. How would we do this? The first step would be to limit the number of invalid login attempts by a user. Ideally, we would want to limit this number to five or six invalid attempts. After the limit has been reached we would then lock the account and prevent even legitimate login attempts, using valid credentials, from occurring.

However, now that we’ve locked the user’s account how do we inform him of this? Would the feedback message provided below be a good idea or a bad one?

Figure 4

If you said the feedback message in Figure 4 was bad, give yourself a pat on the back, because it is a very bad idea to reveal to the user that his account has been locked. One thing to remember, we can never assume that the person attempting to use the application can be trusted. If a malicious user attempted to log into the application using the “asmith” username and received this message, he would know two things. One, that “asmith” is a valid account and two, they have just locked the real account holder user out of the application, thus preventing a login even with valid credentials. The worst case scenario in a situation like this can result in a complete DoS (Denial of Service) attack against all users attempting to access the application. DoS attacks aren’t just about massive requests to a server and consuming the bandwidth, DoS attacks can also be done at the application level as described above. If a malicious user successfully locks out a user’s account, they have denied the service of the application to that user.

Providing detailed feedback messages can cause major security issues with our applications. We never want to provide intimate details of an issue to the end user, because we can never ensure that the user is a valid account holder. It may place a greater inconvenience on your user base, but in the end the application is much more secure and your customers’ accounts are less likely to be compromised by a malicious attacker. Ideally, we would provide the same feedback message to the user regardless if it were an invalid login or if the account has been locked. The difference between feedback messages is the difference between protecting your customers’ accounts and having them compromised.

Feedback Comments

sanjay ProgrammingTipsWeek3 3/19/2013 2:56 AM
Hi

Bye

test ProgrammingTipsWeek3 1/28/2013 7:45 PM
test

test

karnam ProgrammingTipsWeek3 9/9/2012 10:38 PM
sdfas

asdfasd

Maca ProgrammingTipsWeek3 2/23/2012 8:28 AM
Cacat

This is a shitty message

hi ProgrammingTipsWeek3 1/27/2012 11:00 PM
hi

hiihii

sarthak ProgrammingTipsWeek3 1/26/2012 8:57 PM
list

mobile samsung galaxy fit rs-10990,cdma +gsm dual sim mobile papa wala,jahan se led leni hai market name square market/square regent near mcdi shop hai.jeans 30 waist,tshirt l size neha waise dekh laina depending on brand, sweatshirt,hand bag,chocolates baki dekh lena agar kuch acha lage ok by bhai

phemia ProgrammingTipsWeek3 2/20/2011 12:29 PM
navsharp module

Please a need a detailed information on how to install navsharp module on my website Submitted By: phemia

khaliff ProgrammingTipsWeek3 2/11/2011 12:23 PM
aksdajkdh

masdjnkajs Submitted By: khaliff

Ajay ProgrammingTipsWeek3 1/29/2011 3:54 AM
Ajay

Ajay Submitted By: Ajay

Anonymous AJAX_Article2 10/1/2007 12:26 AM
Error when not logged in

the article is fine if we are logged in but it will never work if you are an anonymous user. The following error i got when i am not logged in : Page cannot be null. Please ensure that this operation is being performed in the context of an ASP.NET request. If you this article please do so. Thank you

Comments per Page:

Page 1 of 2

First Previous [1] 2 Next Last

Feedback

Note: Required fields are marked with a

all others are optional.

Your Contact Information:

Email:

Enter your Email address

Name:

Enter your Name

Your Feedback:

Subject:

Enter the subject of your message

Message Body:

Please enter your message.

Security Code

Enter the security code.

Enter the code shown above into the box below.

Send Feedback

SharePoint Web Parts

All Data Springs Web Parts Support WSS 3.0, SharePoint 2007, and SharePoint 2010 Frameworks

Please select license option for each web part you wish to purchase. We highly recommend the SharePoint Bundle to get all Data Springs Web Parts for maximum value!

Cart

Data Springs Sharepoint Bundle

Best Value! The Bundle gives you all 5 web parts in one package at a very attractive price! Best Value! We think you will be very happy with the SharePoint bundle and great price discounts you will receive. With your purchase all of the web parts below will be included.

Random Image Web Part

With Random Image for Sharepoint 2007, you can select multiple images to display randomly when the web part loads...

Stock Quote Web Part

Giving your site visitors relevant information is critical. With the Data Springs Stock Web Part you can provide your users with up to date financial information

Dynamic Image Rotator Web Part

Who would have thought? Adobe Flash® with Sharepoint! The FIRST and ONLY image rotation web part for Sharepoint using Flash Technology from Adobe! The Dynamic Image Rotator displays selected images and then rotates between the images. Several extended and optional features allow you to select the time to rotate each image, fade between

SharePoint Charts Web Part

The MOSS Chart Web Part is a web part built by Data Springs for the purpose of rendering several chart types based on data from a SharePoint list on a MOSS 2007 or WSS 3.0 Site

Dynamic News Ticker Web Part

Provide current news items with a user-friendly news ticker for your Sharepoint Portal. With millions of web sites offering information you need a fun way to display information and the solution is Flash News Ticker....

Tailored Text Web Part

Tailored Text Web Part allows you to add text/html to your web site that can be different for anonymous users, registered users, and even individual users specifically.

Dynamic Views Web Part

Dynamic Views is an excellent tool to:
Personalization allows you to go the extra mile in communicating or connecting one to one with your clients. When it comes to technology and web site content, you now have the power to leverage this personalization directly with your users on your DotNetNuke® site

More